In Win2K and NT, nonadministrative users can't change their IP addresses. Although this feature is great for security, it's problematic for mobile employees who need the ability to change their addresses. For example, my organization has engineers who travel to customer sites and must configure their laptops to talk to customers' systems, whose IP addresses and subnet masks vary. I wanted to let the engineers change their laptop IP addresses without giving them administrative rights to the system, so I developed a method to perform this in Win2K.
The Windows 2000 Resource Kit's Netset utility lets you change an IP address based on the contents of an answer file. You can't run Netset unless you're an administrator, however, so I created a nonscheduled Win2K task that runs a batch file that contains the command
where filename.txt is the name of a file that contains the data in Listing 1. I used the Win2K Task Scheduler to skirt the requirement that an administrator run the task. The Task Scheduler lets you enter the name and password of a user to make the task run as if that user started it. I specified Administrator as the user and supplied the password. I called the task ChangeIP.
Before users run the task, they edit the text file. (I provide them with a desktop shortcut to open the file with Notepad.) First, in the line at callout B in Listing 1, users enter their domain for yourdomain.com. Then, they change the lines related to the IP address, as you see at callout C in Listing 1. Next, the users save the file, run the task from the Task Scheduler (I provide my users with a desktop shortcut to Task Scheduler), then reboot to apply the changes. To check that the address is set correctly, users can run Win2K's Ipconfig utility. I provide my users with a desktop icon that runs Ipconfig (the icon is a shortcut to a batch file that runs Ipconfig with a pause so that the output doesn't fly by too quickly to read).
For multiple NICs, remove the InfID=* line at callout A in Listing 1 and replace it with
PciBusNumber = 0
PciDeviceNumber = 16
PciFunctionNumber = 0
which identify the hardware address of the card. To obtain the hardware address of the NIC, right-click My Network Places on your desktop, click Properties, double-click the NIC you want to change, click Properties, then click Configure. The screen shows the location of the card and which numbers to use.
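Because the ChangeIP task runs with Administrator credentials and reads a file that nonadministrative users edit, a check placed in front of Netset can reject anything other than the expected adapter and TCP/IP settings and catch addressing mistakes before the reboot. The sketch below is an added example, not part of the original tip. The section and key names are assumptions based on the Windows 2000 unattended-setup answer-file layout, since Listing 1 is not reproduced here, and `validate_answer_file` and the Python wrapper are hypothetical.

```python
import configparser
import ipaddress

# Assumed allowlist (Listing 1 is not shown on the page): sections -> settable keys.
ALLOWED = {
    "NetAdapters": {"adapter1"},
    "params.Adapter1": {"infid", "pcibusnumber", "pcidevicenumber", "pcifunctionnumber"},
    "NetProtocols": {"ms_tcpip"},
    "params.MS_TCPIP": {"dnsdomain", "adaptersections"},
    "params.MS_TCPIP.Adapter1": {"specificto", "dhcp", "ipaddress", "subnetmask",
                                 "defaultgateway"},
}
TCP = "params.MS_TCPIP.Adapter1"
SAMPLE = """\
[NetAdapters]
Adapter1 = params.Adapter1
[params.Adapter1]
InfID = *
[NetProtocols]
MS_TCPIP = params.MS_TCPIP
[params.MS_TCPIP]
DNSDomain = yourdomain.com
AdapterSections = params.MS_TCPIP.Adapter1
[params.MS_TCPIP.Adapter1]
SpecificTo = Adapter1
DHCP = No
IPAddress = 192.168.10.25
SubnetMask = 255.255.255.0
DefaultGateway = 192.168.10.1
"""  # constructed sample, not the page's Listing 1

def validate_answer_file(text):
    """Return a list of problems; an empty list means the file passed these checks."""
    cp = configparser.ConfigParser(interpolation=None)  # option names are lowercased
    problems = []
    try:
        cp.read_string(text)
        problems += [f"unexpected section [{s}]" for s in cp.sections() if s not in ALLOWED]
        problems += [f"unexpected key {k} in [{s}]" for s in cp.sections()
                     if s in ALLOWED for k in cp[s] if k not in ALLOWED[s]]
        iface = ipaddress.IPv4Interface(f"{cp[TCP]['ipaddress']}/{cp[TCP]['subnetmask']}")
        gateway = ipaddress.IPv4Address(cp[TCP]["defaultgateway"])
    except (configparser.Error, KeyError, ValueError) as exc:
        return problems + [f"rejected: {exc}"]
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        problems.append("IP address is the network or broadcast address")
    if gateway not in iface.network:
        problems.append("default gateway is outside the configured subnet")
    return problems
```

The batch file that the task runs would call this check first and skip Netset when the returned list is not empty. The batch file itself should be writable only by administrators.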